Description

If a file of user details is uploaded, and the option is taken for moodle to create the passwords, and email them to the users, the emails are sent out to totally the wrong addresses. Instead of being sent to the address in the user record, it ends up being sent to something like: f5d1278e8109edd94e1e4197e04873b9@dsint01.pteppic.net (from a test on one of our sites - this is also affecting a client site, also 1.9.7 =, on a different server). This address of course is not recognised, and so the mail bounces.

So, why is the address in the user record not being used?

All of the settings are standard - the server is using an instance of postfix, locally, to sent smtp mail, via the standard default mail mechanism.

Emails sent via forums, or in bulk user actions, work OK. It just seems to be the code that initially sends out the passwords that has this problem.

Dan Poltawski
added a comment - 24/Feb/10 6:16 AM Hi Sean,
I can't reproduce this issue or see a code path which generates this problem, the closest thing seems to be perhaps a generated messageid.
The to address you seem to point out looks like a message id ather than from address. Here are sample headers i've jsut generated:
From www-data@moodle Thu Jan 28 10:53:12 2010
Received: from www-data by moodle with local (Exim 4.69)
(envelope-from <www-data@moodle>)
id 1NaRzs-0004Uy-2W
for talktodan@gmail.com; Thu, 28 Jan 2010 10:53:12 +0000
To: talktodan@gmail.com
Subject: test: New user account
Date: Thu, 28 Jan 2010 10:53:11 +0000
From: "Admin User " <test@test.com>
Message-ID: <31feb1a9d0a5d0aef6332ea2f25d1ca2@moodle.dev>
X-Priority: 3
X-Mailer: PHPMailer [version Moodle 2007101571.04]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Sender: www-data <www-data@moodle>
Hi firstname lastname,
A new account has been created for you at 'test'
and you have been issued with a new temporary password.
Your current login information is now:
username: firstname
password: rock8stop
(you will have to change your password
when you login for the first time)
To start using 'test', login at
http://moodle.dev/login/
In most mail programs, this should appear as a blue link
which you can just click on. If that doesn't work,
then cut and paste the address into the address
line at the top of your web browser window.
Cheers from the 'test' administrator,
Admin User
:

Sean Keogh
added a comment - 24/Feb/10 3:21 PM Hi Dan,
Yes I know, it looks like a messageid to me too. But we were seeing it in a bounce message as an actual address, which seems very odd.
I will investigate further. THanks, Dan.
Sean K

I came across this issue today as well. There doesn't seem to be any consistency because out of half a dozen attempts to upload users, one worked and 5 didn't. Here's the bounce email where the server tries to append the domain to the address. What's interesting is that the username is shows the email address with some random number after it instead of the username.

The original message was received at Mon, 13 Sep 2010 18:00:04 +1000
from root@localhost

An online training account has been created at 'World Vision Australia' using
your email address and you now have access to log in and commence training. The
username you have been allocated will remain yours for the duration of your
access to the site and you have been issued a temporary password. When you
first log in to the online site you will be prompted to change your password.

In most mail programs, this should appear as a blue link which you can just
click on. If that doesn't work, cut and paste the address into the address line
at the top of your web browser window. You DO NOT need to type in www at the
start of the site address.

Anthony O'Connell
added a comment - 13/Sep/10 6:14 PM I came across this issue today as well. There doesn't seem to be any consistency because out of half a dozen attempts to upload users, one worked and 5 didn't. Here's the bounce email where the server tries to append the domain to the address. What's interesting is that the username is shows the email address with some random number after it instead of the username.
The original message was received at Mon, 13 Sep 2010 18:00:04 +1000
from root@localhost
----- The following addresses had permanent fatal errors -----
d0e96b79469d6e6478bddab875a8b31b
(reason: 550 5.1.1 <d0e96b79469d6e6478bddab875a8b31b@mail.traininggroup.com.au>... User unknown)
(expanded from: d0e96b79469d6e6478bddab875a8b31b)
----- Transcript of session follows -----
... while talking to [127.0.0.1] :
DATA
<<< 550 5.1.1 <d0e96b79469d6e6478bddab875a8b31b@mail.traininggroup.com.au>... User unknown
550 5.1.1 d0e96b79469d6e6478bddab875a8b31b... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
Reporting-MTA: dns; mail.traininggroup.com.au
Arrival-Date: Mon, 13 Sep 2010 18:00:04 +1000
Final-Recipient: RFC822; d0e96b79469d6e6478bddab875a8b31b@mail.traininggroup.com.au
Action: failed
Status: 5.1.1
Remote-MTA: DNS; [127.0.0.1]
Diagnostic-Code: SMTP; 550 5.1.1 <d0e96b79469d6e6478bddab875a8b31b@mail.traininggroup.com.au>... User unknown
Last-Attempt-Date: Mon, 13 Sep 2010 18:00:05 +1000
From: "Administrator " <admin@traininggroup.com.au>
Date: 13 September 2010 6:00:04 PM AEST
To: d0e96b79469d6e6478bddab875a8b31b
Subject: Site: New User Account
Hi Anthony James,
An online training account has been created at 'World Vision Australia' using
your email address and you now have access to log in and commence training. The
username you have been allocated will remain yours for the duration of your
access to the site and you have been issued a temporary password. When you
first log in to the online site you will be prompted to change your password.
Your current login information is:
<strong>username</strong>: anthony@zenius.com.au.1284357892
<strong>password</strong>: e/wx4FG3
To start using 'Site', login at
http://wva.traininglink.com.au/login/
In most mail programs, this should appear as a blue link which you can just
click on. If that doesn't work, cut and paste the address into the address line
at the top of your web browser window. You DO NOT need to type in www at the
start of the site address.
If you need help, please contact the site administrator.
Administrator
admin@traininggroup.com.a

Actually, to me, that looks like the password hash. What mechanism would allow moodle to use the password hash instead of the email address to send out the new account details? That would seem to be a bit of a security issue. Comments guys?

Anthony O'Connell
added a comment - 13/Sep/10 6:20 PM Actually, to me, that looks like the password hash. What mechanism would allow moodle to use the password hash instead of the email address to send out the new account details? That would seem to be a bit of a security issue. Comments guys?

When you upload users from a file and tell Moodle to create a password if needed, Moodle creates a empty password field in the database that it fills when the cron.php is next run (at whatever frequency you set it to run)

When you delete a user in Moodle, their username is replaced with their email address plus a short random number and their email address is replaced with a long random number that looks a bit like a password hash

Is it possible the impatience is the problem here? After you upload users, no email arrives so you delete the user. The next time the cron runs, the new password is sent to the long random number and the username is the email address with the short random number appended. Looking for some logic here so let me know if this is a possibility.

Question: would Moodle still try to create a password (for any account with no password) and email it out even if the user's account was set as deleted?

Anthony O'Connell
added a comment - 13/Sep/10 6:56 PM Following some logic here...
When you upload users from a file and tell Moodle to create a password if needed, Moodle creates a empty password field in the database that it fills when the cron.php is next run (at whatever frequency you set it to run)
When you delete a user in Moodle, their username is replaced with their email address plus a short random number and their email address is replaced with a long random number that looks a bit like a password hash
Is it possible the impatience is the problem here? After you upload users, no email arrives so you delete the user. The next time the cron runs, the new password is sent to the long random number and the username is the email address with the short random number appended. Looking for some logic here so let me know if this is a possibility.
Question: would Moodle still try to create a password (for any account with no password) and email it out even if the user's account was set as deleted?

Michael de Raadt
added a comment - 05/Jan/12 1:52 PM Thanks for reporting this issue.
We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported.
If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.
Michael d;
lqjjLKA0p6

I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.

Michael de Raadt
added a comment - 06/Feb/12 4:35 PM I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.